Steven Phillips on 10 Jan 2010 06:37:22 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Internet Antivirus Pro Scamware

WHOOOHOOOO! A topic I can finally contribute to!

I've cleaned out about 6 or 8 boxes with this crap on it in recent weeks.
What you need to do is clean out every temporary folder in every user account, and all the contents of the temporary folders in the windows folder. Empty the prefetch folder too. Check the hosts file, because some variants will write an entry to a malevolent dns server for all the popular search engines. Look for av2009 also. You'll have to use the fix.reg to unlock regedit. I usually use the Pmagic live disk and leaf pad to create this file on the desktop as well as manual file deletion and editing the hosts file.


create file using a text editor

Copy and paste everything into the editor between the x's making regedit4 the top line.
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


If you can keep it from loading from all the temp folders, you can clean it up fairly easily, it's just time consuming.

Download and install Malwarebytes Anti Malware from cnet.

download and install Windows Defender from Uncle Winkie's website (M$), not because I have any confidence in it's efficiency, but because it offers and easy way to delete programs from starting up. Much better than using msconfig.

Let us know how you make out,


Message: 1
Date: Sat, 09 Jan 2010 17:29:29 -0500
From: JP Vossen <>
Subject: [PLUG] Edit Windows Registry from Linux LiveCD?
Message-ID: <">>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

A cousin has gotten "Internet Security 2010" and our initial t-shooting
has failed.  The malware is still resident in Safe Mode, and it will not
allow a DOS prompt, regedit or even notepad to run.  We tried: Start,
Run, Notepad; Start, Progs, Accessories, Notepad; And browsing to
C:\Windows and double-clicking notepad.exe.  All failed.

So I'm going to have him burn an Ubuntu LiveCD, install SSH server and
I'll SSH in and delete files per  Something
like (untested):

mount /dev/sda1 /mnt    # Assuming his Windows XP is on /dev/sda1
rm -rf /mnt/c
rm -rf /mnt/Program?Files/InternetSecurity2010
find /mnt -iname 'IS2010.exe' \
       -o -iname '41.exe' \
       -o -iname 'winhelper86.dll' \
       -o -iname 'winlogon86.exe' \
       -o -iname 'winupdate86.exe' \
       -o -iname 'Internet Security 2010.lnk' | xargs echo rm
cd windows/system32/config/
cp -av default  REG_BACKUP.default
cp -av security
cp -av software
cp -av system   REG_BACKUP.system
cp -av sam      REG_BACKUP.sam

I'd also like to clean up the registry a bit, so any ideas how to do
that from the LiveCD?  Various places found via Google suggest running a
Windows-based third-party RegEdit tool under Wine, and this looks
promising (worked in a VM anyway, though I didn't test writing):
PCRegedit  is a Linux Live CD based, easy-to-use tool to create, delete,
edit the windows registry key-values without booting from Windows.

Any other ideas for cleaning up the malware?  (I haven't seen the PC but
it's old, running XP, and he has no CDs for it, I suspect it's some old
whitebox.  I doubt he updates it, and he was using IE and Outlook
Express.  He did have Comcast's Macafee A/V on it.)

JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --